1
00:00:00,480 --> 00:00:06,770
Hello and welcome back. I need you to understand the TCP/IP packet headers.

2
00:00:06,770 --> 00:00:14,890
I mean, one of you might say, what the heck, I mean, why do we have to worry about packet headers anticipated

3
00:00:15,630 --> 00:00:16,280
here.

4
00:00:16,420 --> 00:00:19,940
And my answer is please bear with me and find why it is important.

5
00:00:20,790 --> 00:00:25,770
If you notice that all that network access control lists and in the security groups you are talking

6
00:00:25,770 --> 00:00:28,050
about who's the source.

7
00:00:28,050 --> 00:00:28,960
What's the protocol.

8
00:00:28,960 --> 00:00:29,740
What's the port?

9
00:00:29,850 --> 00:00:35,660
And then allowed inside in the NACL and allow in the security group.

10
00:00:35,690 --> 00:00:39,150
So these are the ways we can configure and that is inbound and outbound.

11
00:00:39,650 --> 00:00:47,380
But I need to know if I want to customize a rule on getting real or not whether it's inbound or outbound

12
00:00:47,390 --> 00:00:48,300
doesn't matter.

13
00:00:48,470 --> 00:00:54,220
I need to understand when the traffic hits and gets inspected what will be the fields and where it

14
00:00:54,220 --> 00:00:55,310
is going.

15
00:00:55,370 --> 00:00:58,760
If I'm sitting on a specific port, is that going to be a source?

16
00:00:58,790 --> 00:01:01,530
Is it going to be the destination? I need to understand.

17
00:01:02,860 --> 00:01:09,490
And this is part of that tricky choices that you will get for the security group and then to control

18
00:01:09,520 --> 00:01:10,060
this.

19
00:01:10,330 --> 00:01:12,570
So let's have a look here what do we have.

20
00:01:12,760 --> 00:01:15,170
So we have a use of the Internet on that.

21
00:01:15,180 --> 00:01:21,830
I use that on the Internet and is trying to communicate with whichever I have in my ear.

22
00:01:21,850 --> 00:01:27,040
So now maybe you see somewhere around those instances.

23
00:01:27,160 --> 00:01:33,330
And I have two subnets I have a subnet here which is and that's a public subnet and I have a different

24
00:01:33,330 --> 00:01:39,630
subnet here which is a private subnet where I have a database server I could be on my mind see my sequence

25
00:01:39,650 --> 00:01:42,800
server begin to set about whatever it is.

26
00:01:42,810 --> 00:01:46,090
OK so that the sport applies to mind as quote.

27
00:01:46,350 --> 00:01:49,740
So when the traffic comes so here is the inbound direction.

28
00:01:49,740 --> 00:01:54,740
So these are the packets and this is the response coming out to me.

29
00:01:54,960 --> 00:02:00,910
So what's the sequence of events? The user types the URL of the web server.

30
00:02:00,960 --> 00:02:02,360
Like what for instance.

31
00:02:02,370 --> 00:02:04,710
W w w dogs.

32
00:02:04,860 --> 00:02:07,610
You can do it too.

33
00:02:07,880 --> 00:02:11,800
Dot com so I typed that.

34
00:02:11,800 --> 00:02:14,440
Then it goes to the DNS server on the Internet.

35
00:02:14,470 --> 00:02:20,550
The server would say you know what if you want to go to this you have to head to 11. one that 1.1.

36
00:02:21,010 --> 00:02:22,840
So the packet is formulated.

37
00:02:22,960 --> 00:02:24,880
And here is the packet.

38
00:02:24,910 --> 00:02:25,880
So what's the destination?

39
00:02:25,880 --> 00:02:29,210
IP is 11 1 1 2 1.

40
00:02:29,230 --> 00:02:36,570
So this is the packet that comes out from the user. What is the port I'm trying to get to?

41
00:02:36,580 --> 00:02:43,020
I have already done www, so this is actually HTTP, and HTTP is port 80.

42
00:02:43,060 --> 00:02:43,520
Great.

43
00:02:43,570 --> 00:02:45,570
How will I know? This is a well-known port.

44
00:02:45,570 --> 00:02:53,160
So anyone working with HTTP will know, or firewall or security or networking or applications know HTTP

45
00:02:53,200 --> 00:02:55,890
is port 80 people get it.

46
00:02:56,410 --> 00:02:58,320
So the destination would be port 80.

47
00:02:58,570 --> 00:02:59,790
But who sent it?

48
00:02:59,870 --> 00:03:05,710
Because remember the traffic will come from the user to that web server and eventually settled we want

49
00:03:05,710 --> 00:03:07,380
to respond to that user.

50
00:03:07,450 --> 00:03:13,180
So I need to know the user port and the user IP address, the source IP.

51
00:03:13,210 --> 00:03:21,670
Let's just for the sake of example let's say it is 20 200 to 1.5 that's the IP address of the user.

52
00:03:21,700 --> 00:03:25,780
So the source here is going to be 12:38 1.5.

53
00:03:26,140 --> 00:03:28,150
And what will be the source port?

54
00:03:28,150 --> 00:03:32,930
Usually the initiator of the connection because now he's going to be.

55
00:03:32,950 --> 00:03:34,850
But it's not coming from a known protocol.

56
00:03:34,870 --> 00:03:43,790
This is only a browser, whether it is Chrome or Firefox or Safari. So the source port will

57
00:03:43,790 --> 00:03:46,440
be what we call an ephemeral port.

58
00:03:46,630 --> 00:03:47,620
Great transients.

59
00:03:47,630 --> 00:03:48,640
A temporary port.

60
00:03:48,920 --> 00:03:53,770
So there is a range that the applications would use from one.

61
00:03:54,020 --> 00:03:58,050
All the way to 65535.

62
00:03:58,100 --> 00:04:03,830
So this is a range so the user can or the application or the browser can just pick one number here let's

63
00:04:03,830 --> 00:04:05,120
say 50000.

64
00:04:05,120 --> 00:04:11,270
So the source port is from the ephemeral range and it is 15000, and then the payload itself, what exactly

65
00:04:11,270 --> 00:04:14,590
am I trying to get or put or what am I trying to do here.

66
00:04:16,700 --> 00:04:24,150
It gets let's say the security group will allow us to set a vote in our So that will preserve will process

67
00:04:24,150 --> 00:04:24,470
it.

68
00:04:24,640 --> 00:04:27,440
And then there was a request to get something for me.

69
00:04:27,820 --> 00:04:33,560
Now we're getting information from the way these Web Application Data are built in the application were

70
00:04:33,600 --> 00:04:41,270
announced in a request down to the server to fetch some information that was part of the response that

71
00:04:41,470 --> 00:04:43,160
this request is expected.

72
00:04:43,330 --> 00:04:45,080
What this user is expecting.

73
00:04:45,190 --> 00:04:52,570
So what would the packet look like when it comes from the web down to the database?

74
00:04:52,570 --> 00:04:56,890
So the packet will be: the source would be the web server IP address.

75
00:04:56,920 --> 00:05:03,540
So that web server EC2 instance, let's say it is 10 to one that 1.1.

76
00:05:03,580 --> 00:05:04,950
And what's the destination?

77
00:05:04,960 --> 00:05:19,820
My destination is that 10 to that one the one case or the destination IP address is 10 to 1 1.

78
00:05:20,400 --> 00:05:21,910
What is the destination port?

79
00:05:21,930 --> 00:05:25,080
I'm talking to the database the sequel.

80
00:05:25,110 --> 00:05:28,170
So the port is 3306.

81
00:05:28,170 --> 00:05:31,200
So here is the port 3306.

82
00:05:31,200 --> 00:05:32,240
What's the source IP?

83
00:05:32,250 --> 00:05:37,650
As we said it's the web server IP address or the application server IP I just end up on that on that

84
00:05:37,650 --> 00:05:38,260
one.

85
00:05:38,280 --> 00:05:39,380
What's the source port?

86
00:05:39,390 --> 00:05:40,220
Again it's ephemeral.

87
00:05:40,230 --> 00:05:47,600
So let's say I'm going to pick or that application with Paik for all four hours.

88
00:05:47,930 --> 00:05:48,890
Good.

89
00:05:48,890 --> 00:05:56,820
Now the database that assuming that this used to look for the database that green apps allow the traffic

90
00:05:56,970 --> 00:06:00,010
that got the request not we Triche that information.

91
00:06:00,020 --> 00:06:01,730
Now it has to respond right.

92
00:06:01,730 --> 00:06:04,550
So let's look at the responses on the right side.

93
00:06:05,490 --> 00:06:07,540
Who is responding now?

94
00:06:07,580 --> 00:06:12,610
The database for the return traffic is the source because he is the one responding right.

95
00:06:12,770 --> 00:06:19,610
So this would be 10 to not one not one.

96
00:06:19,610 --> 00:06:24,720
What is the source port? In this case the source port is 5:37. Why?

97
00:06:24,740 --> 00:06:30,530
Because when the web was talking, it was talking to 3306; when a response comes out it's coming from

98
00:06:30,530 --> 00:06:36,290
3306 or it is equal to 7.

99
00:06:36,300 --> 00:06:39,690
Now what is that web server IP address?

100
00:06:39,690 --> 00:06:42,830
We know that already that is standard one that 1.1.

101
00:06:42,870 --> 00:06:48,090
So the destination I'm going to send this to is going to conduct one point.

102
00:06:48,210 --> 00:06:50,050
What is the port?

103
00:06:50,340 --> 00:06:55,310
It is exactly the source port that came with the packet that I need to respond to.

104
00:06:55,380 --> 00:07:02,930
So it is for 4000 that comes to the Web now has all the information it needs to respond to the user.

105
00:07:02,940 --> 00:07:07,050
So it has to form or build a packet and send it to the user.

106
00:07:07,050 --> 00:07:14,730
Now what will be the headers in this case? The destination port that I'm going to send to is the same

107
00:07:14,730 --> 00:07:18,580
source port that came with the original packet that came from the user.

108
00:07:18,690 --> 00:07:21,500
So the destination port is 50000.

109
00:07:21,540 --> 00:07:24,030
Exactly. What is the destination IP?

110
00:07:24,030 --> 00:07:29,420
It's exactly the same that came to me with a source packet that came from the user.

111
00:07:29,580 --> 00:07:38,540
So it's going to be 20 to one that one the life. What's the source IP? The source IP is that web server

112
00:07:38,540 --> 00:07:41,030
IP. What is the source port? 80.

113
00:07:41,030 --> 00:07:41,420
Why?

114
00:07:41,420 --> 00:07:45,680
Because when he requested the communication and sent me the packet d'Argent know he was talking to the

115
00:07:45,680 --> 00:07:49,600
HDD he said it was on the said 10.

116
00:07:49,730 --> 00:07:55,990
That one the one that one can't say here is the web server IPX.

117
00:07:56,260 --> 00:08:02,440
So if it goes out now the question I have for you is is it going to roll out all the way to the user

118
00:08:02,440 --> 00:08:05,240
with the source IP turned out one that won that one.

119
00:08:05,260 --> 00:08:06,410
The answer is no.

120
00:08:06,430 --> 00:08:07,350
Why?

121
00:08:07,360 --> 00:08:10,670
Because this is a private IPv4 address.

122
00:08:10,810 --> 00:08:12,580
It's not even on the Internet.

123
00:08:12,580 --> 00:08:13,470
So what will happen?

124
00:08:13,480 --> 00:08:21,070
Remember when we said that the Internet Gateway will host the Elastic IP or the public IP for that web

125
00:08:21,070 --> 00:08:24,100
server or that we're facing instances.

126
00:08:24,100 --> 00:08:25,330
That's exactly what will happen.

127
00:08:25,450 --> 00:08:34,360
So now the 10.0 on that one that one is going to come here and it will be translated into the public

128
00:08:34,360 --> 00:08:37,110
IP address of the instance.

129
00:08:38,240 --> 00:08:41,710
OK which was the 11. one that won this one.

130
00:08:43,290 --> 00:08:46,290
So this will be transformed into 12:49 the one that one.

131
00:08:46,290 --> 00:08:48,070
And then the traffic would be sent out.

132
00:08:48,330 --> 00:08:56,250
The most important thing I want you to understand here is: so the client picks an ephemeral port, initiates

133
00:08:56,280 --> 00:09:03,710
the request that this commission of which is so upset over destination port is the port that is bungs

134
00:09:03,930 --> 00:09:10,410
the source of which is going to be the web server and port the destination is going to be the client

135
00:09:10,470 --> 00:09:14,900
IP address and the ephemeral port that was chosen.

136
00:09:14,970 --> 00:09:18,630
Why do they teach you all that or why do you guys spend all that.

137
00:09:18,630 --> 00:09:19,740
Very simple reason.

138
00:09:20,840 --> 00:09:26,990
Because when you are writing a rule for us to look at this list and you know where the traffic will be

139
00:09:26,990 --> 00:09:32,120
coming from and where it is going, you need to know what's the source port, what's the source IP, what's

140
00:09:32,120 --> 00:09:33,560
the port of destination.

141
00:09:33,570 --> 00:09:37,060
IP in order to be able to write the rules correctly.

142
00:09:37,500 --> 00:09:38,400
OK.

143
00:09:38,750 --> 00:09:41,390
So let's see why this is very important.

144
00:09:41,510 --> 00:09:50,100
Let's look at the format of that security group inbound and outbound and inbound and outbound the inbound

145
00:09:50,160 --> 00:09:52,110
on the security group it looks like.

146
00:09:52,110 --> 00:09:58,620
So this is what you need to configure on us: what's the type of your traffic.

147
00:09:58,630 --> 00:10:03,880
So the DNS traffic traffic ICMP traffic EECP traffic whatever it is.

148
00:10:03,880 --> 00:10:08,950
And then once the protocol is TCP, UDP, ICMP, what is the specific port?

149
00:10:09,310 --> 00:10:11,640
Twenty two, is that MySQL.

150
00:10:11,740 --> 00:10:16,240
It's going to be asked is it be who is the source.

151
00:10:18,260 --> 00:10:19,650
And the source is.

152
00:10:19,960 --> 00:10:24,340
I mean if you have a specific source you can put it here if you have it and you can put it here if you

153
00:10:24,340 --> 00:10:24,630
have it.

154
00:10:24,690 --> 00:10:27,160
A source is another security group.

155
00:10:27,400 --> 00:10:33,580
You can also configure your pay if I don't know the source if it's coming from the internet.

156
00:10:33,610 --> 00:10:35,170
I'm not sure who is the source then.

157
00:10:35,260 --> 00:10:37,370
In this case just write

158
00:10:37,380 --> 00:10:40,350
Zero zero zero zero zero.

159
00:10:40,480 --> 00:10:48,920
So that means from any source. On the outbound direction, what's the difference here?

160
00:10:48,920 --> 00:10:53,530
The main difference that the same fields do not change.

161
00:10:53,540 --> 00:10:57,760
I'm not talking about the values I'm talking about this is portrayed in the Paltridge brother unpredicable

162
00:10:57,770 --> 00:10:58,770
type time.

163
00:10:58,940 --> 00:10:59,890
So what are we talking about?

164
00:10:59,890 --> 00:11:00,450
I'm talking about.

165
00:11:00,440 --> 00:11:06,870
This is the source of where it is coming from going into maybe a C and he here I don't ask about the

166
00:11:06,870 --> 00:11:10,190
source because I know the sources might be because it's EC2 instances.

167
00:11:10,200 --> 00:11:13,980
Now I'm concerned for the hour long for the destination.

168
00:11:14,100 --> 00:11:15,680
So when are you just coming to me.

169
00:11:15,720 --> 00:11:18,960
General who is the source and filter based on that.

170
00:11:18,960 --> 00:11:24,450
When it is sent from me, from the VPC out, I need to know who is the destination and filter based on

171
00:11:24,460 --> 00:11:31,740
the then I can format access control lists on the inbound direction.

172
00:11:31,960 --> 00:11:36,580
I have the rule number and I remember when we said that we have a sequence number and they are always

173
00:11:36,580 --> 00:11:38,560
inspected from the lowest number.

174
00:11:38,560 --> 00:11:41,020
So from 5 from five to 100.

175
00:11:41,290 --> 00:11:44,520
The first one that will be inspected is five and then 10 on the 15th.

176
00:11:44,620 --> 00:11:49,130
And until I get to 100 what if I don't find any of those.

177
00:11:49,220 --> 00:11:51,820
Oh I you know these rules don't have a match.

178
00:11:51,880 --> 00:11:59,360
Then you have an explicit deny all rule anything.

179
00:11:59,420 --> 00:12:03,570
All the ports all protocols all traffic for any destination.

180
00:12:03,980 --> 00:12:09,680
So if you have not configured something to allow that traffic it will be denied and that's it.

181
00:12:09,680 --> 00:12:11,520
How about that implicit.

182
00:12:11,660 --> 00:12:13,130
It doesn't show that.

183
00:12:13,400 --> 00:12:16,540
But you know it is the game.

184
00:12:16,670 --> 00:12:22,790
So here I have no idea that were denied because I can only find out here.

185
00:12:22,790 --> 00:12:25,250
I have and you know as options.

186
00:12:25,250 --> 00:12:26,900
So that's another difference.

187
00:12:27,530 --> 00:12:28,370
On the outbound

188
00:12:31,270 --> 00:12:32,140
on the outbound.

189
00:12:32,140 --> 00:12:33,160
Exactly the same thing.

190
00:12:33,190 --> 00:12:34,240
Your rules.

191
00:12:34,510 --> 00:12:38,830
And then you have the experience I have the end for anything that does not match.

192
00:12:39,060 --> 00:12:39,520
OK.

193
00:12:39,610 --> 00:12:44,350
One important distinction also between the inbound and outbound is exactly the same thing the security

194
00:12:44,360 --> 00:12:47,930
group I care about for inbound where it's coming from.

195
00:12:48,220 --> 00:12:51,560
I care for the outbound where it's going to take.

196
00:12:51,640 --> 00:12:58,150
So make no mistake about this they can't take you in the exact choices in question choices that they

197
00:12:58,150 --> 00:12:59,860
would put you in a perfect rule.

198
00:13:00,070 --> 00:13:07,070
But then instead of the destination they would say source is that of the there was perfectly fine if

199
00:13:07,070 --> 00:13:11,180
it was the source of the destination or if it was the destination of the source.

200
00:13:11,180 --> 00:13:12,890
So you need to be careful about that.

201
00:13:12,990 --> 00:13:19,240
You know our next lecture we are going to look at some scenarios about security groups and access to

202
00:13:19,430 --> 00:13:24,320
some problems and then we'll see how we can think about solving them.

203
00:13:24,320 --> 00:13:29,100
The architect which will put on the architect facts and we think about it see in the next lecture.
